Didier Stevens

Sunday 26 February 2017

Update: translate.py Version 2.4.0

Filed under: My Software,Update — Didier Stevens @ 9:19

I added a feature similar to “here files” to translate.py. It’s something I already did in xor-kpa.py.

In stead of using an input filename, the content can also be passed in the argument. To achieve this, precede the text with character #.
If the text to pass via the argument contains control characters or non-printable characters, hexadecimal (#h#) or base64 (#b#) can be used.

Example:
translate.py #h#89B5B4AEFDB4AEFDBCFDAEB8BEAFB8A9FC “byte ^0xDD”
Output:
This is a secret!

translate_v2_4_0.zip (https)
MD5: B33830C68D8A8A7534AF178243658E70
SHA256: A01AB10FCE42664869C4E31DB1AB2E1E0237172D0AE9685549A09BF866D7F885

Saturday 25 February 2017

Update: rtfdump.py Version 0.0.5

Filed under: My Software,Update — Didier Stevens @ 10:28

This new version of rtfdump.py adds object extraction (-E) and can also handle objects obfuscated with \dde0000…

20170225-112653

rtfdump_V0_0_5.zip (https)
MD5: 14475C70D992FB72306D5F83815DDE19
SHA256: A26A60536509BA7CF55FF1876E8BC3A6DBA43F1EF8841F159D55411FD11B5078

Wednesday 22 February 2017

Update: base64dump.py Version 0.0.6

Filed under: My Software,Update — Didier Stevens @ 0:00

After searching with base64dump for encoded strings in this maldoc sample, I decided to add an option to base64dump to check all encodings automatically.

Use option -e with value all to try out all encodings, and report all found strings ordered by increasing length. And with option -u, you can limit the output to unique decoded strings.

zipdump.py -s 5 -d output.docx.vir.zip | base64dump.py -e all -u

20170221-202720

base64dump_V0_0_6.zip (https)
MD5: CDC956FAFD7AC2A86C9CD40EC188C7FC
SHA256: BFBCFA51DDC47793C8CA397B261E036701543610F637CE8813BC5870FC4B2C2F

Tuesday 31 January 2017

Update: zipdump.py Version 0.0.5

Filed under: My Software,Update — Didier Stevens @ 0:00

A small feature in this new version: start the -E option value with # to count and group.

Example:

C:\Demo>zipdump.py -E “#%HEADASCII%;%HEADHEX%” Book1.xlsm
1: –…………..;d0cf11e0a1b11ae10000000000000000
1: <xml xmlns:v=”ur;3c786d6c20786d6c6e733a763d227572
12: <?xml version=”1;3c3f786d6c2076657273696f6e3d2231
zipdump_v0_0_5.zip (https)
MD5: 5F49895D3EA97A870ECB1E262A738A04
SHA256: E16CE5A426840D2804E5EF544CF334715F501D0892496D02B6C5000B18CE10BA

Sunday 29 January 2017

Update: FileScanner Version 0.0.0.4

Filed under: My Software,Update — Didier Stevens @ 0:00

I released this new version of FileScanner at the end of 2015, but forgot to announce it here on my blog.

This new version also scans Alternate Data Streams.

FileScanner_V0_0_0_4.zip (https)
MD5: 4BB8F475328B9EB214E6B9405F84816E
SHA256: 5D3B1408C5D2BD17C0441D0D9D0DA565E8D690DE792971092956F4CA10D5A071

Saturday 28 January 2017

Update: byte-stats.py Version 0.0.5

Filed under: My Software,Update — Didier Stevens @ 8:37

This new version of byte-stats.py adds statistics for hexadecimal and base64 characters:

$byte-stats.py all.bin

Byte ASCII Count     Pct
0x00           1   0.39%
0x01           1   0.39%
0x02           1   0.39%
0x03           1   0.39%
0x04           1   0.39%
...
0xfb           1   0.39%
0xfc           1   0.39%
0xfd           1   0.39%
0xfe           1   0.39%
0xff           1   0.39%

Size: 256

                   File(s)
Entropy:           8.000000
Unique bytes:           256 100.00%
NULL bytes:               1   0.39%
Control bytes:           27  10.55%
Whitespace bytes:         6   2.34%
Printable bytes:         94  36.72%
High bytes:             128  50.00%
Hexadecimal bytes:       22   8.59%
BASE64 bytes:            65  25.39%

byte-stats_V0_0_5.zip (https)
MD5: B79C6DF0964C9BA676D88E2085ACF037
SHA256: B9112274BD757FB3311883B0CF179ABDEC149C421EFEB335D70AF972495A5C20

Wednesday 28 December 2016

Update: pdf-parser Version 0.6.7

Filed under: My Software,PDF,Update — Didier Stevens @ 12:03

I added option -k to search for keys in dictionaries. A usage example can be found in blog post “PDF Analysis: Back To Basics“.

pdf-parser_V0_6_7.zip (https)
MD5: D04D7DA42F3263139BC2C7E7B2621C91
SHA256: ED863DE952A5096FF4BE0825110D2726BA1BE75A7A6717AF0E6A153B843E3B78

Wednesday 14 December 2016

Update: pecheck.py Version 0.6.0 – Overview Of Resources

Filed under: Malware,My Software,Update — Didier Stevens @ 0:00

This new version can produce a compact overview of all the resources in a PE file using option o: -o r.  Here is the overview of resources in an exe (malware) created with iexpress:

20161213-215750

It contains a cab file with 2 executables, which are executed after extraction (no surprise):

20161213-220001

pecheck-v0_6_0.zip (https)
MD5: D3A9C71AAF63D83884B4FEF2C2C21D03
SHA256: 08DB82F190AEEB065A65FEE0DD03D20B0CC788878C4864B537BBD1807E4D6B71

Monday 12 December 2016

Update: oledump.py Version 0.0.26

Filed under: My Software,Update — Didier Stevens @ 0:00

Just a small change in this version: an indicator (O) for streams containing OLE 1.0 embedded data:

20161211-203401

And plugin_http_heuristics also detects XOR-encoding starting with the second character of the key.

oledump_V0_0_26.zip (https)
MD5: 62030DEC6DBC2F69A37893FF1624F8EE
SHA256: A0DE8FD414A0B78FE8D72CAA58D8FA15159A7ABEA9842181C4C3C4EC1DE2EEC5

Friday 9 December 2016

Update: pecheck.py Version 0.5.2

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version displays information about the signature (provided pyasn1 is installed), and adds option -g to extract data (pefile.get_data) from the pefile like resources.

Options -x, -a, -D and -S can be used to dump data (hex, ascii, binary and strings).

pecheck-v0_5_2.zip (https)
MD5: A4FF0507C206535FA9224F65CCD3497D
SHA256: DE4D06F00FD9EC74FD52689B711FBF10F953F14DAFACBDE214E0A4947E60D8A6

Next Page »

Blog at WordPress.com.